{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# The lack of PFS: a danger to privacy\n",
    "\n",
    "With TLS 1.2 and earlier, some cipher suites do not provide Perfect Forward Secrecy. Without this property, an attacker compromising the server private key can easily decrypt TLS traffic.\n",
    "\n",
    "In the following example, Scapy is used to decrypt a comunication made without PFS using the ciphersuite `TLS_RSA_WITH_AES_128_CBC_SHA`, giving the server private key stored in `raw_data/pki/srv_key.pem`."
   ]
  },
  {
   "metadata": {},
   "cell_type": "code",
   "source": [
    "from scapy.all import *\n",
    "load_layer('tls')"
   ],
   "outputs": [],
   "execution_count": null
  },
  {
   "metadata": {},
   "cell_type": "code",
   "source": [
    "record1_str = open('raw_data/tls_session_compromised/01_cli.raw', 'rb').read()\n",
    "record1 = TLS(record1_str)\n",
    "record1.msg[0].show()"
   ],
   "outputs": [],
   "execution_count": null
  },
  {
   "cell_type": "code",
   "metadata": {
    "scrolled": true
   },
   "source": [
    "record2_str = open('raw_data/tls_session_compromised/02_srv.raw', 'rb').read()\n",
    "record2 = TLS(record2_str, tls_session=record1.tls_session.mirror())\n",
    "record2.msg[0].show()"
   ],
   "outputs": [],
   "execution_count": null
  },
  {
   "cell_type": "code",
   "metadata": {},
   "source": [
    "# Supposing that the private key of the server was stolen,\n",
    "# the traffic can be decoded by registering it to the Scapy TLS session\n",
    "key = PrivKey('raw_data/pki/srv_key.pem')\n",
    "record2.tls_session.server_rsa_key = key"
   ],
   "outputs": [],
   "execution_count": null
  },
  {
   "cell_type": "code",
   "metadata": {},
   "source": [
    "record3_str = open('raw_data/tls_session_compromised/03_cli.raw', 'rb').read()\n",
    "record3 = TLS(record3_str, tls_session=record2.tls_session.mirror())\n",
    "record3.show()"
   ],
   "outputs": [],
   "execution_count": null
  },
  {
   "cell_type": "code",
   "metadata": {},
   "source": [
    "record4_str = open('raw_data/tls_session_compromised/04_srv.raw', 'rb').read()\n",
    "record4 = TLS(record4_str, tls_session=record3.tls_session.mirror())\n",
    "record4.show()"
   ],
   "outputs": [],
   "execution_count": null
  },
  {
   "cell_type": "code",
   "metadata": {},
   "source": [
    "# This is the first TLS Record containing user data. If decryption works,\n",
    "# you should see the string \"To boldly go where no man has gone before...\" in plaintext.\n",
    "record5_str = open('raw_data/tls_session_compromised/05_cli.raw', 'rb').read()\n",
    "record5 = TLS(record5_str, tls_session=record4.tls_session.mirror())\n",
    "record5.show()"
   ],
   "outputs": [],
   "execution_count": null
  },
  {
   "metadata": {},
   "cell_type": "markdown",
   "source": [
    "# Decrypting TLS Traffic Protected with PFS\n",
    "\n",
    "When PFS is in action, the only way to break TLS 1.2 is to possess decryption keys. They can be retrieved by dumping the process memory, or making the TLS library to write then into a [NSS Key Log](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format) (as allowed by OpenSSL, Chrome or Firefox).\n",
    "\n",
    "The data used in the following examples was retrieved the following commands:\n",
    "```\n",
    "cd doc/notebooks/tls/raw_data/\n",
    "\n",
    "# Start a TLS Server using the s_server\n",
    "sudo openssl s_server -accept localhost:443 -cert pki/srv_cert.pem -key pki/srv_key.pem -WWW\n",
    "\n",
    "# Sniff the network and write packets to a file\n",
    "sudo tcpdump -i lo -w tls_nss_example.pcap port 443\n",
    "\n",
    "# Connect to the server using TLS 1.2 and TLS 1.3, and write the keys to a file\n",
    "echo -e \"GET /pki/srv_key.pem HTTP/1.0\\r\\n\" | openssl s_client -connect localhost:443 -keylogfile tls_nss_example.keys.txt -tls1_2 -ign_eof\n",
    "echo -e \"GET /pki/srv_key.pem HTTP/1.0\\r\\n\" | openssl s_client -connect localhost:443 -keylogfile tls_nss_example.keys.txt -tls1_3 -ign_eof\n",
    "```\n",
    "\n",
    "## Decrypt a PCAP files\n",
    "\n",
    "Scapy can parse NSS Key logs, and use the cryptographic material to decrypt TLS traffic from a pcap file."
   ]
  },
  {
   "metadata": {},
   "cell_type": "code",
   "source": [
    "load_layer(\"tls\")\n",
    "\n",
    "conf.tls_session_enable = True\n",
    "conf.tls_nss_filename = \"raw_data/tls_nss_example.keys.txt\"\n",
    "\n",
    "packets = sniff(offline=\"raw_data/tls_nss_example.pcap\", session=TCPSession)"
   ],
   "outputs": [],
   "execution_count": null
  },
  {
   "metadata": {},
   "cell_type": "code",
   "source": [
    "# Display the TLS1.2 HTTP GET query\n",
    "packets[9][TLS].show()"
   ],
   "outputs": [],
   "execution_count": null
  },
  {
   "metadata": {},
   "cell_type": "code",
   "source": [
    "# Display the answer containing the secret\n",
    "packets[10][TLS].show()"
   ],
   "outputs": [],
   "execution_count": null
  },
  {
   "metadata": {},
   "cell_type": "code",
   "source": [
    "# Display the TLS1.3 HTTP GET query\n",
    "packets[27][TLS13].show()"
   ],
   "outputs": [],
   "execution_count": null
  },
  {
   "metadata": {},
   "cell_type": "code",
   "source": [
    "# Display the answer containing the secret\n",
    "packets[28][TLS13].show()"
   ],
   "outputs": [],
   "execution_count": null
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Decrypt Manually\n",
    "\n",
    "Internally, the `conf.tls_session_enable` parameter makes Scapy follows TCP records, such as Client Hello or Server Hello, and updates `tlsSession` objects.\n",
    "\n",
    "Scapy inner behavior is illustrated by the following example."
   ]
  },
  {
   "cell_type": "code",
   "metadata": {},
   "source": [
    "# Read packets from a pcap\n",
    "load_layer(\"tls\")\n",
    "\n",
    "conf.tls_session_enable = False\n",
    "packets = rdpcap(\"raw_data/tls_nss_example.pcap\")\n",
    "\n",
    "# Load the keys from a NSS Key Log\n",
    "nss_keys = load_nss_keys(\"raw_data/tls_nss_example.keys.txt\")"
   ],
   "outputs": [],
   "execution_count": null
  },
  {
   "cell_type": "code",
   "metadata": {},
   "source": [
    "# Parse the Client Hello message from its raw bytes. This configures a new tlsSession object\n",
    "client_hello = TLS(raw(packets[3][TLS]))\n",
    "\n",
    "# Parse the Server Hello message, using the mirrored client_hello tlsSession object\n",
    "server_hello = TLS(raw(packets[5][TLS]), tls_session=client_hello.tls_session.mirror())\n",
    "\n",
    "# Configure the TLS master secret retrieved from the NSS Key Log\n",
    "server_hello.tls_session.master_secret = nss_keys[\"CLIENT_RANDOM\"][client_hello.tls_session.client_random]\n",
    "server_hello.tls_session.compute_ms_and_derive_keys()\n",
    "\n",
    "# Parse remaining TLS messages\n",
    "client_finished = TLS(raw(packets[7][TLS]), tls_session=server_hello.tls_session.mirror())\n",
    "server_finished = TLS(raw(packets[8][TLS]), tls_session=client_finished.tls_session.mirror())"
   ],
   "outputs": [],
   "execution_count": null
  },
  {
   "cell_type": "code",
   "metadata": {},
   "source": [
    "# Display the HTTP GET query\n",
    "http_query = TLS(raw(packets[9][TLS]), tls_session=server_finished.tls_session.mirror())\n",
    "http_query.show()"
   ],
   "outputs": [],
   "execution_count": null
  },
  {
   "cell_type": "code",
   "metadata": {},
   "source": [
    "# Display the answer containing the secret\n",
    "http_response = TLS(raw(packets[10][TLS]), tls_session=http_query.tls_session.mirror())\n",
    "http_response.show()"
   ],
   "outputs": [],
   "execution_count": null
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "Python 3 (ipykernel)",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 3
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython3",
   "version": "3.9.1"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 2
}
